The storage test generator doesn't support JPAKE at this time. So write a
test case manually.
The key is not exercised, since `psa_exercise_key()` doesn't support PAKE at
this time. But at least we can use this test case to ensure that we know how
the key is represented in storage.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
(cherry picked from commit 98a4029d51)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Partial backport of "Update all except "Asymmetric cryptography" for
TF-PSA-Crypto", including only clarifications and the extra information
about migrating to `MBEDTLS_PSA_CRYPTO_CONFIG` that are also relevant in
3.6.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The program uses atoi() unconditionally, so it should include stdlib.h
unconditionally. Previously this happened to be indirectly included by
some other header (via pk.h via ssl.h) but we should not rely on that.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This has been the case for a while, but we forgot to update the readme.
Don't prominently label it a "reference" implementation. That implies that
it's a complete implementation, but it isn't: we do not intend to implement
every mechanism that the PSA specification has an encoding for. That also
tends to imply that it's for demonstration purposes and not ready for
production, but Mbed TLS is intended to be used in production.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Integrators in a client-server architecture need to provide this function on
the client side.
Fixesmbedtls/issues#10341.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `psa_cipher_decrypt()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_decrypt()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.
With this change, `psa_cipher_decrypt()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `psa_cipher_finish()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_finish()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.
With this change, `psa_cipher_finish()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
